github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity
12,181 Commits 3 Branches 2 Tags 112 MiB
master
Commit Graph

16 Commits

Author SHA1 Message Date
Fu Wei
5885db62c8
Merge pull request #8136 from everpeace/fix-additiona-gids-to-read-image-user 
[CRI] fix additionalGids: it should fallback to imageConfig.User when securityContext.RunAsUser,RunAsUsername are empty
 2023-04-09 14:59:07 +08:00
Maksym Pavlenko
126ab72fea Keep linux mounts for linux sandboxes on Windows/Darwin 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2023-03-29 19:00:06 -07:00
Shingo Omura
50740a1a0c
use strings.Cut instead of strings.Split for parsing imageConfig.User 
Signed-off-by: Shingo Omura <everpeace@gmail.com>
 2023-03-14 13:52:03 +09:00
Shingo Omura
727b254039
fix userstr for dditionalGids on Linux 
It should fallback to imageConfig.User when no securityContext.RunAsUser/RunAsUsername

Signed-off-by: Shingo Omura <everpeace@gmail.com>
 2023-02-19 22:09:00 +09:00
Akihiro Suda
3eda46af12
oci: fix additional GIDs 
Test suite:
```yaml

---
apiVersion: v1
kind: Pod
metadata:
  name: test-no-option
  annotations:
    description: "Equivalent of `docker run` (no option)"
spec:
  restartPolicy: Never
  containers:
    - name: main
      image: ghcr.io/containerd/busybox:1.28
      args: ['sh', '-euxc',
             '[ "$(id)" = "uid=0(root) gid=0(root) groups=0(root),10(wheel)" ]']
---
apiVersion: v1
kind: Pod
metadata:
  name: test-group-add-1-group-add-1234
  annotations:
    description: "Equivalent of `docker run --group-add 1 --group-add 1234`"
spec:
  restartPolicy: Never
  containers:
    - name: main
      image: ghcr.io/containerd/busybox:1.28
      args: ['sh', '-euxc',
             '[ "$(id)" = "uid=0(root) gid=0(root) groups=0(root),1(daemon),10(wheel),1234" ]']
  securityContext:
    supplementalGroups: [1, 1234]
---
apiVersion: v1
kind: Pod
metadata:
  name: test-user-1234
  annotations:
    description: "Equivalent of `docker run --user 1234`"
spec:
  restartPolicy: Never
  containers:
    - name: main
      image: ghcr.io/containerd/busybox:1.28
      args: ['sh', '-euxc',
             '[ "$(id)" = "uid=1234 gid=0(root) groups=0(root)" ]']
  securityContext:
    runAsUser: 1234
---
apiVersion: v1
kind: Pod
metadata:
  name: test-user-1234-1234
  annotations:
    description: "Equivalent of `docker run --user 1234:1234`"
spec:
  restartPolicy: Never
  containers:
    - name: main
      image: ghcr.io/containerd/busybox:1.28
      args: ['sh', '-euxc',
             '[ "$(id)" = "uid=1234 gid=1234 groups=1234" ]']
  securityContext:
    runAsUser: 1234
    runAsGroup: 1234
---
apiVersion: v1
kind: Pod
metadata:
  name: test-user-1234-group-add-1234
  annotations:
    description: "Equivalent of `docker run --user 1234 --group-add 1234`"
spec:
  restartPolicy: Never
  containers:
    - name: main
      image: ghcr.io/containerd/busybox:1.28
      args: ['sh', '-euxc',
             '[ "$(id)" = "uid=1234 gid=0(root) groups=0(root),1234" ]']
  securityContext:
    runAsUser: 1234
    supplementalGroups: [1234]
```

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-02-10 15:53:00 +09:00
Maksym Pavlenko
40be96efa9 Have separate spec builder for each platform 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2023-01-11 13:12:25 -08:00
Maksym Pavlenko
fdfa3519a3 Remove unused params from platformSpec 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2023-01-11 13:03:59 -08:00
Maksym Pavlenko
f43d8924e4 Move most of OCI spec options to common builder 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2023-01-11 13:03:59 -08:00
Maksym Pavlenko
21338d2777 Add stub to build common OCI spec 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2023-01-11 13:03:59 -08:00
Rodrigo Campos
a7adeb6976 cri: Support pods with user namespaces 
This patch requests the OCI runtime to create a userns when the CRI
message includes such request.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
 2022-12-21 17:56:56 -03:00
Qasim Sarfraz
0c4d32c131 cri: add pod uid annotation 
Signed-off-by: Qasim Sarfraz <qasimsarfraz@microsoft.com>
 2022-11-19 01:12:02 +01:00
Kazuyoshi Kato
6596a70861 Use github.com/containerd/cgroups/v3 to remove gogo 
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
 2022-11-14 21:07:48 +00:00
Ed Bartosh
8ed910c46a CDI: configure registry on start 
Currently CDI registry is reconfigured on every
WithCDI call, which is a relatively heavy operation.

This happens because cdi.GetRegistry(cdi.WithSpecDirs(cdiSpecDirs...))
unconditionally reconfigures the registry (clears fs notify watch,
sets up new watch, rescans directories).

Moving configuration to the criService.initPlatform should result
in performing registry configuration only once on the service start.

Signed-off-by: Ed Bartosh <eduard.bartosh@intel.com>
 2022-10-12 13:45:20 +03:00
Ed Bartosh
eec7a76ecd move WithCDI to pkg/cri/opts 
As WithCDI is CRI-only API it makes sense to move it
out of oci module.

This move can also fix possible issues with this API when
CRI plugin is disabled.

Signed-off-by: Ed Bartosh <eduard.bartosh@intel.com>
 2022-10-12 13:45:20 +03:00
zounengren
d121efc6d8 replace with selinux label 
Signed-off-by: zounengren <zouyee1989@gmail.com>
 2022-07-24 20:11:16 +08:00
Maksym Pavlenko
cf5df7e4ac Fork CRI server package 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2022-07-13 10:54:59 -07:00